Pattern Matching

The Problem With Banning TikTok

The Twitter hack reminds us that American social platforms are a security risk, too

Will Oremus
OneZero


Welcome back to Pattern Matching, OneZero’s weekly newsletter that puts the week’s most compelling tech stories in context. I’m Will Oremus, senior writer at OneZero.

Just when the whole tech world was talking about the United States potentially banning the wildly popular video app TikTok as a national security threat, Twitter went and got hacked in just about the most public way possible. The takeover of some of the platform’s largest accounts — the full ramifications of which are not yet known — served as an object lesson in the insecurity of Silicon Valley’s own largest social platforms.

The Pattern

Your social media platform is not secure:

  • Slowly at first, and then with startling rapidity, a daring hack unfolded on Twitter over a period of a few hours on Wednesday afternoon. Starting around 3 p.m. ET, popular Twitter accounts associated with the cryptocurrency community began to tweet, one by one, scam messages inviting people to send bitcoin to a specific wallet address in order to receive more bitcoin in return. The takeover then spread swiftly to the accounts of dozens of Twitter’s most popular verified accounts, including those of Elon Musk, Bill Gates, Apple, Kanye West, and Joe Biden, with a new big name falling prey every few minutes. The Block Crypto has a helpful timeline of how the hack unfolded. All told, the wallets appear to have raked in some $120,000 from the ruse, which is both a lot of money and rather a paltry sum compared to the magnitude and audacity of the breach.
  • Which raised the troubling question: Is the money really all the hackers were after? A far more worrying possibility was that the hackers could have gained access to the private data of the users whose accounts they hijacked, especially their private direct messages to other Twitter users. In theory, those could be used to extort, embarrass, or gain intelligence on influential public figures, including the man who may be the next president of the United States. In 2016, for instance, Kremlin-linked hackers infiltrated the communications of the Democratic National Committee and the Hillary Clinton campaign, among others. On Friday, Twitter reported that up to eight of the compromised accounts may have had their DMs and other sensitive information breached via the platform’s tool that lets you download an archive of all your data. However, the company said none of those accounts were verified, which, if true, would imply they were not high-value targets such as Biden.
  • On Friday evening, the New York Times’ Kate Conger and Nathaniel Popper published an inside account of the hack, based on interviews with several people involved, which suggested that it was neither sophisticated nor state-backed. “Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.” The hackers claimed that what initially seemed like a fun prank focused on smaller accounts had spiraled out of control.
  • As with the 2016 DNC hack, it appears that the exploited security flaw in this case was human weakness. Hackers gained access to the accounts through the administrative tools of one or more Twitter employees, the company reported. Twitter called it a “coordinated social engineering attack,” which would seem to imply that employees were tricked into giving away their credentials, e.g. by spear-phishing. But a source who claimed to be one of the hackers also told Motherboard they paid a Twitter employee to do most of the work on their behalf, and shared screenshots of the internal tools they allegedly used to control the accounts involved. An investigation by Krebs on Security suggested that the hack was carried out by changing the email address tied to each account, and identified a suspect who was previously involved in the hack of Jack Dorsey’s Twitter account last year. Meanwhile, the New York Times identified the Twitter insider, who goes by “Kirk” on Discord, as the one who initiated the idea. Regardless, the hack made clear that Twitter urgently needs to tighten its security around administrative controls. (Relatedly, OneZero’s Owen Williams wrote in March about the potential for abuse of tech companies’ “God mode” controls.) Bloomberg’s Tae Kim has more on what the hack tells us about Twitter.
  • The Twitter story stole the spotlight from what had been the week’s dominant tech narrative, which was the possibility that the United States might ban TikTok. I wrote about that in last week’s Pattern Matching, and momentum continued to build this week. A Trump official said action of some sort against the China-owned app could come within weeks, and Republican Sen. Josh Hawley introduced a bill to prohibit federal employees from using it on their government-issued devices. The calls focus on TikTok’s Chinese ownership, and the concern that the Chinese government might use it as a tool of spycraft or influence. What they have lacked, so far, is specific evidence that that is in fact happening.
  • It isn’t only the GOP that sees TikTok as a threat. In his influential newsletter Stratechery, analyst Ben Thompson makes the “reluctant” case for a ban, unless ByteDance is willing to sell TikTok to non-Chinese owners. He cites the prospect of ByteDance manipulating TikTok’s potent recommendation algorithm to push propaganda as a greater threat than the Chinese government harvesting user data.
  • Without downplaying the fears about TikTok, speculative as they may be, it’s worth carefully thinking through the implications of a ban before anyone rushes to support it. The most immediate beneficiary would likely be Facebook, which conveniently is preparing to launch a copycat product called Instagram Reels in the coming weeks. Other social media platforms would no doubt race to capture the huge and lucrative share of attention that TikTok now commands, especially among young people.
  • Facebook, of course, has an actual track record of being exploited by foreign powers, including to manipulate elections. And this week, Twitter reminded us that it, too, presents national security vulnerabilities, given its importance as a platform for heads of state and other influential figures. In fact, on the very day of the hack, researchers had released a report that found Twitter’s security flaws pose a unique threat to nuclear diplomacy, as Corinne Purtill reported for OneZero. Given that finding, bad actors on the platform sending out misinformation under the handle of world leaders could have deadly consequences.
  • This is not to say that Facebook and Twitter should be banned, too, or that TikTok should not. Realistically, no communications platform is foolproof. But vast, for-profit, algorithmically driven, advertising-dependent social platforms present a particular class of risks due to their intensive collection of personal data, design features that make them ripe for manipulation (which is a selling point for advertisers), and opaque algorithms that determine which information millions of people receive and which they don’t.
  • TikTok’s Chinese ownership, coupled with the Chinese government’s unfettered power over Chinese companies, suggests an additional vector of attack. It’s not crazy for the federal government, or defense contractors, to think about barring employees from using it on their work devices; neither would it necessarily be crazy for them to think about doing the same for Facebook or Twitter. But a national ban would be a far more extreme step — one that would embolden governments and leaders around the world with authoritarian leanings to ban online speech platforms for their own self-serving reasons, including to crush dissent. Anyone who doubts the domino effect need only look at how India’s recent TikTok ban helped to normalize the idea in the United States. Kurt Opsahl, general counsel for the nonprofit Electronic Frontier Foundation, told me via email that a full ban on TikTok would likely require an act of Congress, and “would raise First Amendment issues” since courts have established that code is speech.
  • Even if it could be done legally, any action so drastic ought to be rooted in a coherent understanding of the risks that all social networks pose, including those headquartered in Silicon Valley, which the U.S. government has proven reluctant to meaningfully regulate at all. In short, it makes no sense to ban TikTok without also addressing, in a very serious way, the threats to democracy and security posed by the leading U.S.-based alternatives. If you see calls for the former without the latter, they’re either ill-considered or disingenuous.

Undercurrents

Under-the-radar trends, stories, and random anecdotes worth your time:

  • The “proptech” industry is booming. Short for “property technology,” the coinage refers to the rise of modern tools for making real estate and property management more lucrative — often by enabling discrimination against already marginalized groups, Avi Asher-Schapiro reports for the Thomson Reuters Foundation. Applications range from “security systems to tenant-screening algorithms to digital rental platforms,” and global investments in the sector tripled between 2018 and 2019, according to the story.
  • Parler is “already falling apart,” according to the Daily Beast’s Will Sommer, as conservatives who initially flocked to the Twitter alternative find less engagement there. OneZero’s Sarah Emerson previously reported that the purportedly free-speech-friendly platform’s slapdash terms of service weren’t actually much less restrictive than Twitter’s.
  • Speaking of Twitter, a pop-up notification that the platform pushed out to some users this week doubled as a textbook example of dark patterns, attorney and privacy expert Lindsey Barrett pointed out. “You’re in control,” the notification assured users who had opted out of ad targeting, then nudged them via design cues to “turn on personalized ads” in order to close the notification window and get back to their Twitter feed. The other option, “keep less relevant ads,” was presented as the non-recommended alternative, even though it was in fact the default for the people who were shown the pop-up. The term “dark patterns,” which refers to user interfaces that trick people into doing things they didn’t mean to, was popularized by the designer Harry Brignull; a website and Twitter account are devoted to tracking examples of them in action.

Headlines of the Week

The Infinite Loop of Supply Chains

— Paul Ford, Wired

Technology Theatre

— Sean McDonald, Centre for International Governance Innovation

How Amazon Lures ‘Artisanal’ Sellers and Hangs Them Out to Dry: This is Handmade’s Tale

— Sarah Kessler, OneZero

Thanks for reading. Reach me with tips and feedback by responding to this post on the web, via Twitter direct message at @WillOremus, or by email at oremus@medium.com.